The NSA is Making Us All Less Safe

"Computers are everywhere. They are now something we put our whole bodies into—airplanes, cars—and something we put into our bodies—pacemakers, cochlear implants. They HAVE to be trustworthy."–EFF Fellow Cory Doctorow

Cory’s right, of course. And that’s why the recent New York Times story on the NSA’s systematic effort to weaken and sabotage commercially available encryption used by individuals and businesses around the world is so important—and not just to people who care about political organizing, journalists or whistleblowers. Thanks to additional reporting, we now know it matters deeply to companies including Brazil’s Petrobras and Belgium’s Belgacom, who are concerned about protecting their infrastructure, negotiating strategies and trade secrets. But really, it matters to all of us.

We all live in an increasingly networked world. And one of the preconditions of that world has to be basic computer security—freedom to use strong technologies that are fully trustworthy.

Every casual Internet user, whether they know it or not, uses encryption daily. It’s the “s” in https and the little lock you see in your browser—signifying a secure connection—when you purchase something online, when you’re at your bank’s website or accessing your webmail, financial records, and medical records. Cryptographic security is also essential in the computers in our cars, airplanes, houses and pockets.

What is the NSA Doing to Make Us Less Safe?

By weakening encryption, the NSA allows others to more easily break it. By installing backdoors and other vulnerabilities in systems, the NSA exposes them to other malicious hackers—whether they are foreign governments or criminals. As security expert Bruce Schneier explained, “It’s sheer folly to believe that only the NSA can exploit the vulnerabilities they create.”

The New York Times presented internal NSA documents with some specifics. They are written in bureaucratese, but we have some basic translations:

“Insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communications devices used by targets”— Sabotage our systems by inserting backdoors and otherwise weakening them if there’s a chance that a “target” might also use them.

"actively engages US and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs" — Secretly infiltrate companies to conduct this sabotage, or work with companies to build in weaknesses to their systems, or coerce them into going along with it in secret.

“Shape the worldwide commercial cryptography marketplace to make it more tractable to advanced cryptanalytic capabilities being developed by NSA/CSS” — Ensure that the global market only has compromised systems, so that people don’t have access to the safest technology.

"These design changes make the systems in question exploitable through Sigint collection … with foreknowledge of the modification. To the consumer and other adversaries, however, the systems' security remains intact." — Make sure no one knows that the systems have been compromised.

“influence policies, standards and specifications for commercial public key technologies” — Make sure that the standards that everyone relies on have vulnerabilities that are hidden from users.

Each of these alone would be terrible for security; collectively they are a nightmare. They are also a betrayal of the very public political process we went through in the 1990s to ensure that technology users had access to real security tools to keep them safe.

Crypto Wars, Part I

Ensuring your ability to have real security and privacy online was one of EFF’s earliest goals and protecting your ability to use strong encryption was one of our first victories.

In the 1990s, the Clinton administration tried several things to ensure that our technologies were not very safe, including proposing the now-infamous "Clipper Chip," which sought to compel companies to insert backdoors into commercial encryption technologies, and enforcing export regulations that effectively prevented the development and distribution of strong encryption.

But in the 1990s, we had a long list of supporters for strong security online, including then-Senator (later Bush Attorney General) John Ashcroft, Senator (current Secretary of State) John Kerry, the National Association of Manufacturers, the U.S. Public Policy Committee of the Association for Computing Machinery, the National Computer Security Association and the American Association for the Advancement of Science.

At the time, the Internet Architecture Board and the Internet Engineering Steering Group, the bodies that oversee architecture and standards for the Internet, put it best, stating:

[a]s more and more companies connect to the Internet, and as more and more commerce takes place there, security is becoming more and more critical. Cryptography is the most powerful single tool that users can use to secure the Internet. Knowingly making that tool weaker threatens their ability to do so, and has no proven benefit.

(emphasis added). These risks have only increased substantially over the past 15-20 years, as virtually all records, both public and private, are maintained electronically and stored in networked environments.

The Clipper Chip proposal was defeated in the late 1990s and the encryption regulations were rolled back shortly thereafter. And we thought the matter was settled: the government had no business sabotaging the security of digital devices or communications.

Crypto Wars Part II, Secrets and Lies

That’s why the revelations last week were so shocking and, frankly, angering. Having lost its efforts to make us less safe in Congress, in the public debate, and in the courts, the NSA simply thumbed its nose at our democratic mechanisms and proceeded to sabotage our security anyway—in secret.

Making matters worse, the NSA put itself on the front lines of the “cybersecurity” debate, ostensibly because it was concerned about the computer security of ordinary people and businesses. That is supposed to be one of the NSA's roles. Yet one of the most disturbing anecdotes from the New York Times story on encryption was the NSA meeting confidentially with companies under the guise of helping with cybersecurity but then using information it gleaned to weaken systems or induce the companies to do so:

Even agency programs ostensibly intended to guard American communications are sometimes used to weaken protections. The N.S.A.’s Commercial Solutions Center, for instance, invites the makers of encryption technologies to present their products to the agency with the goal of improving American cybersecurity. But a top-secret N.S.A. document suggests that the agency’s hacking division uses that same program to develop and “leverage sensitive, cooperative relationships with specific industry partners” to insert vulnerabilities into Internet security products.

This should give any company pause. It should give Congress pause when crafting dangerous new laws, like an “information sharing” bill just proposed by Sen. Feinstein, that give the NSA new powers. And it should give all of us pause as we consider whether the NSA has become an agency that believes itself to be above the law and beyond our democratic processes.

Time for Action

Thankfully, the recent disclosures have led to at least some change. The National Institute of Standards and Technology (NIST), the government agency in charge of one of the cryptographic standards the NSA is alleged to have secretly weakened, has reopened public comment on its standard and has even gone as far as to recommend that people not use it anymore.

And we’re beginning to see the international computer security community come to grips with this disturbing news.

But we must do more.

We must rebuild the broad coalition that fought the first crypto wars, including cryptographers, investors, businesses, developers, civil liberties groups, scientists and ordinary people.

We must expose the vulnerabilities that have been secreted into our technologies. Then we must demand that they be fixed in a way we can confirm on an ongoing basis.

We must ask standards bodies, companies and individual developers to pledge, publicly and unequivocally, to reject efforts to build backdoors or insert known vulnerabilities into their products—and create transparency so that they can't secretly cooperate with these efforts in the future.

We must build our own tools, and support the tools that already exist that are independently verifiable as secure (most prominently, open source tools).

We must support efforts in Congress to rein in the NSA and bring it back under the rule of law, and we must make sure that Congress specifically forbids the NSA from working to make our technologies less safe.
